Re: Trace spam activity on mail server

I did a whois on your domain, checked the Trend Micro list, and it was not found.

Replies to this email will be no different than your previous email. Basically all you can do is request the block be removed. These RBLs have little sympathy for those they block.

My best solution for non-response RBLs is to get them removed from any email server that I care about. When you contact an administrator and show that you pass a hundred RBLs, they will either drop the offending RBL that has false positives or whitelist your domain.

Out of three problem RBLs, only one admitted they were the problem and cleared me.

When I first set up my email server, I thought the more RBLs the better. Eventually I learned less is more.

Original Message
From: Matteo Cazzador
Sent: Monday, May 1, 2017 3:36 AM
To: postfix users
Subject: Trace spam activity on mail server

Re: Trace spam activity on mail server

Ok,
This is a little bit off topic for the mail list.

Assuming as you say, you don’t spam…

You may be included in a RBL if you reside on a net block that has a spammer on it.
So while your domain isn’t spamming, if your next door virtual neighbor is… you’re SOL (Shit Out of Luck) until you ask your ISP to move you to another net block, or you find a different Provider.

You can run a check on your MX Server… there are a couple of web sites that do this… and I think one or two will identify the RBLs that include you.

Now, if you have a spammer on your server…

1) Are you an open relay? (Check with one of the MX sites to validate your configuration)

2) Do you host other domains? Any one of those domains could be listed which means your IP addresses are listed.

3) You said you have a mailing list.
a) How do people subscribe to the list?
b) What’s the purpose of the list?
c) How do you let people unsubscribe?
d) Do you comply with the ‘CAN-SPAM’ law (which isn’t much or that good of a law)?

The reason you will find those who run the RBLs to be less than responsive is that Spam has been an ongoing problem for almost 30 years. (Wasn’t the Canter-Siegel green card spam in ’88 or was it ’89?)
Spamhaus has been around for roughly 20 years. (I met Steve in Madison WI, 19 years ago at a dinner meeting)

I’m sure that every RBL list maintainer has heard every excuse in the book including pink contracts from ISPs, which resulted in the IDP (Internet Death Penalty) being created.

While I’ve since moved on and have forgotten what little I knew of Mail Servers, there are things that you should be able to do.

In theory, you can track your outbound email and run a simple counter based on the sender’s info. If you have a spammer on your network, you would be able to see how many emails they send, and how many bcc’s are on each email.

Another thing you can do is to check the domain registration of your clients.
If the domain registration information is bogus, it’s a good sign you have a spammer.
If the domain registration is blocked, then you should look a little deeper since you’re hosting the domain.
(If you’re in country A, and the person buying access is in country B, that’s another ‘red’ flag.)

That’s pretty much common sense.

Most of the RBLs implement an auto aging policy. Meaning if they don’t get a report that you’re spamming, they will automatically remove your IP from the list unless of course someone else in your netblock is spamming. Then you need to move, maybe even to a new ISP.
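
An added example, not part of the original message: the per-sender counter described above, applied to Postfix's own log. It joins each queue ID's `smtpd` or `pickup` line (who submitted the message) with its `qmgr` line (envelope sender and `nrcpt`, which counts Bcc recipients too). The log lines, addresses and thresholds are constructed for illustration, and the default `postfix/` syslog name is assumed.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix's default syslog format (not real traffic).
SAMPLE_LOG = """\
May  2 09:14:01 mail postfix/submission/smtpd[2101]: 3F2A41C0D1: client=host.isp.example[198.51.100.20], sasl_method=PLAIN, sasl_username=alice@customer.example
May  2 09:14:01 mail postfix/qmgr[1190]: 3F2A41C0D1: from=<alice@customer.example>, size=1820, nrcpt=1 (queue active)
May  2 09:15:10 mail postfix/pickup[1188]: 4A1B2C3D4E: uid=33 from=<www-data>
May  2 09:15:10 mail postfix/qmgr[1190]: 4A1B2C3D4E: from=<www-data@mail.example>, size=3100, nrcpt=50 (queue active)
May  2 09:15:12 mail postfix/pickup[1188]: 5B2C3D4E5F: uid=33 from=<promo@other.example>
May  2 09:15:12 mail postfix/qmgr[1190]: 5B2C3D4E5F: from=<promo@other.example>, size=3098, nrcpt=50 (queue active)
May  2 09:20:33 mail postfix/smtpd[2107]: 6C3D4E5F60: client=unknown[203.0.113.7]
May  2 09:20:33 mail postfix/qmgr[1190]: 6C3D4E5F60: from=<bob@customer.example>, size=912, nrcpt=2 (queue active)
May  2 09:45:12 mail postfix/qmgr[1190]: 5B2C3D4E5F: from=<promo@other.example>, size=3098, nrcpt=50 (queue active)
"""

# smtpd logs the client (and the SASL login, if any) for each queue ID.
SMTPD_RE = re.compile(
    r"postfix/(?:\w+/)?smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=[^\[]*\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=[^,]+, sasl_username=(?P<user>[^,\s]+))?"
)
# pickup logs the local uid for mail injected through sendmail(1),
# which is how a web application on the same host usually sends.
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<"
)
# qmgr logs the envelope sender and the number of envelope recipients.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def summarize(log_text):
    """Return {origin: counters}, where origin is the SASL login, the local
    uid, or the client IP that submitted the message."""
    origin = {}   # queue ID -> origin label
    seen = set()  # qmgr logs a deferred message again on every retry
    stats = defaultdict(
        lambda: {"messages": 0, "recipients": 0, "max_rcpt": 0, "senders": set()}
    )
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            origin[m["qid"]] = "sasl:" + m["user"] if m["user"] else "ip:" + m["ip"]
            continue
        m = PICKUP_RE.search(line)
        if m:
            origin[m["qid"]] = "local-uid:" + m["uid"]
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] not in seen:
            seen.add(m["qid"])
            entry = stats[origin.get(m["qid"], "unknown")]
            rcpts = int(m["nrcpt"])
            entry["messages"] += 1
            entry["recipients"] += rcpts
            entry["max_rcpt"] = max(entry["max_rcpt"], rcpts)
            entry["senders"].add(m["sender"])
    return dict(stats)


def suspects(stats, max_messages=3, max_rcpt_per_msg=20):
    """Flag origins over the (assumed) thresholds or using several senders."""
    flagged = []
    for who, entry in stats.items():
        reasons = []
        if entry["messages"] > max_messages:
            reasons.append("%d messages" % entry["messages"])
        if entry["max_rcpt"] > max_rcpt_per_msg:
            reasons.append("%d recipients on one message" % entry["max_rcpt"])
        if len(entry["senders"]) > 1:
            reasons.append("%d different envelope senders" % len(entry["senders"]))
        if reasons:
            flagged.append((who, reasons))
    return sorted(flagged)


if __name__ == "__main__":
    for who, reasons in suspects(summarize(SAMPLE_LOG)):
        print(who, "->", "; ".join(reasons))
```

Short Postfix queue IDs are reused over time, so run this over one log window at a time rather than across rotated files.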

Re: Trace spam activity on mail server

On 5/2/2017 9:51 AM, Michael Segel wrote:
> You can run a check on your MX Server… there are a couple of web sites that do this… and I think one or two will identify the RBLs that include you.
One trick I use a lot when I have an infected machine on a network or a
customer with a problem is that I set up a smarthost running a milter
that runs the email through a spam checker, logs the answer and then
tempfails the emails.

Then I can analyze if there is an issue and do a silent discard by
subject or internal IP if we find a compromised machine while letting
everything else go through.

Re: Trace spam activity on mail server

Pretty clean, maybe a few things to fix, but he’s not on any black list.

I don’t know when he set up his domain, it could be that Trend Micro blocked the IP block due to a previous tenant and never took them off.

Truthfully, I don’t use much more than Spamhaus these days, in terms of RBLs.

He’s not running an open relay and if there was a spammer on his network, Spamhaus would have caught it too. Or someone else.

It’s not Matteo’s server and I suspect it’s Trend Micro.

HTH

-Mike

> On May 2, 2017, at 8:56 AM, Kevin A. McGrail <[hidden email]> wrote:
>
> On 5/2/2017 9:51 AM, Michael Segel wrote:
>> You can run a check on your MX Server… there are a couple of web sites that do this… and I think one or two will identify the RBLs that include you.
> One trick I use a lot when I have an infected machine on a network or a customer with a problem is that I set up a smarthost running a milter that runs the email through a spam checker, logs the answer and then tempfails the emails.
>
> Then I can analyze if there is an issue and do a silent discard by subject or internal IP if we find a compromised machine while letting everything else go through.
>
> Regards,
> KAM

Re: Trace spam activity on mail server

On 5/2/2017 10:02 AM, Michael Segel wrote:

> Just to follow up…
> I ran the check on his domain:
> https://mxtoolbox.com/domain/netlite.it/
> Pretty clean, maybe a few things to fix, but he’s not on any black list.
> I don’t know when he set up his domain, it could be that Trend Micro blocked the IP block due to a previous tenant and never took them off.
> Truthfully, I don’t use much more than Spamhaus these days, in terms of RBLs.
> He’s not running an open relay and if there was a spammer on his network, Spamhaus would have caught it too. Or someone else.
> It’s not Matteo’s server and I suspect it’s Trend Micro.

Yes, I'm a big fan of MXToolBox. Great tool! I agree, you might
be looking for a ghost in the machine that doesn't exist and it's
a FP from TrendMicro.

Re: Trace spam activity on mail server

Hi everybody, yes, it is the first thing I try; I always use mxtoolbox
before every investigation (for 1 year).

For me the problem is related only to spam activity that my
server doesn't trace, or something compromised, like a user account.

But on my server there is no trace of spam.

Or it is a false positive alert, which causes a lot of problems for
my customer.

The domain implicated is not my mail domain, but the mail server is
the same.

Thanks.

On 02/05/2017 16:40, Kevin A. McGrail wrote:

> On 5/2/2017 10:02 AM, Michael Segel wrote:
>
>> Just to follow up…
>> I ran the check on his domain:
>> https://mxtoolbox.com/domain/netlite.it/
>> Pretty clean, maybe a few things to fix, but he’s not on any black list.
>> I don’t know when he set up his domain, it could be that Trend Micro blocked the IP block due to a previous tenant and never took them off.
>> Truthfully, I don’t use much more than Spamhaus these days, in terms of RBLs.
>> He’s not running an open relay and if there was a spammer on his network, Spamhaus would have caught it too. Or someone else.
>> It’s not Matteo’s server and I suspect it’s Trend Micro.
>
> Yes, I'm a big fan of MXToolBox. Great tool! I agree, you
> might be looking for a ghost in the machine that doesn't exist
> and it's a FP from TrendMicro.

You are running with out-of-date WordPress plugins. Checked a few.
That's asking for problems. Check your webserver logs for strange/out-of-the-ordinary things.

If you don't use mod security, get it, learn it, install it and stop the WordPress abuse.

Greetz,

Louis

> -----Original message-----
> From: [hidden email] [mailto:[hidden email]] On behalf of Michael Segel
> Sent: Tuesday, 2 May 2017 16:02
> To: Kevin A. McGrail
> CC: [hidden email]; Matteo Cazzador; postfix users
> Subject: Re: Trace spam activity on mail server
>
> Just to follow up…
> I ran the check on his domain:
> https://mxtoolbox.com/domain/netlite.it/
> Pretty clean, maybe a few things to fix, but he’s not on any
> black list.
>
> I don’t know when he set up his domain, it could be that
> Trend Micro blocked the IP block due to a previous tenant and
> never took them off.
>
> Truthfully, I don’t use much more than Spamhaus these days.
> in terms of RBLs.
>
> He’s not running an open relay and if there was a spammer on
> his network, Spamhaus would have caught it too. Or someone else.
>
> Its not Matteo’s server and I suspect its Trend Micro.
>
> HTH
>
> -Mike
>
> > On May 2, 2017, at 8:56 AM, Kevin A. McGrail
> <[hidden email]> wrote:
> >
> > On 5/2/2017 9:51 AM, Michael Segel wrote:
> >> You can run a check on your MX Server… there are a couple
> of web sites that do this… and I think one or two will
> identify the RBLs that include you.
> > One trick I use a lot when I have an infected machine on a
> network or a customer with a problem is that I setup a
> smarthost running a milter that runs the email through a spam
> checker, logs the answer and then tempfails the emails.
> >
> > Then I can analyze if there is an issue and do a silent
> discard by subject or internal IP if we find a compromised
> machine while letting everything else go through.
> >
> > Regards,
> > KAM
>
>

Re: Trace spam activity on mail server

While mxtoolbox looks complete, there are more RBLs than on their list. I never knew Trend Micro had a RBL.

Spamrl.com is one I can't stay off of. They do honor their one week reprieve. Like I said, I managed to get them removed from servers that I communicate with. There are over a hundred RBLs. If one is a problem child, dump it.

Pulled right from their website.
"Unfortunately, we cannot disclose any details about WHY your IP has a bad reputation."

Re: Trace spam activity on mail server

> So far as I can see, your web site is the target, not your mail server.
>
> I personally use: http://multirbl.valli.org/lookup/netlite.it.html
> About the same as mx toolbox, but I did notice that the list of multirbl is much shorter when the domain name is used.
> If I check with this hostname: mail.netlite.it (212.29.157.98)
> http://multirbl.valli.org/lookup/212.29.157.98.html
> DNSBL Blacklist Test Summary
> Ip based: 231 of 231 tests done.
> Domain base: 49 of 49 tests done.
> Result, not listed anywhere.
>
> You are running with out-of-date WordPress plugins. Checked a few.
> That's asking for problems. Check your webserver logs for strange/out-of-the-ordinary things.
>
> If you don't use mod security, get it, learn it, install it and stop the WordPress abuse.
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: [hidden email] [mailto:[hidden email]] On behalf of Michael Segel
>> Sent: Tuesday, 2 May 2017 16:02
>> To: Kevin A. McGrail
>> CC: [hidden email]; Matteo Cazzador; postfix users
>> Subject: Re: Trace spam activity on mail server
>>
>> Just to follow up…
>> I ran the check on his domain:
>> https://mxtoolbox.com/domain/netlite.it/
>> Pretty clean, maybe a few things to fix, but he’s not on any
>> black list.
>>
>> I don’t know when he set up his domain, it could be that
>> Trend Micro blocked the IP block due to a previous tenant and
>> never took them off.
>>
>> Truthfully, I don’t use much more than Spamhaus these days.
>> in terms of RBLs.
>>
>> He’s not running an open relay and if there was a spammer on
>> his network, Spamhaus would have caught it too. Or someone else.
>>
>> Its not Matteo’s server and I suspect its Trend Micro.
>>
>> HTH
>>
>> -Mike
>>
>>> On May 2, 2017, at 8:56 AM, Kevin A. McGrail
>> <[hidden email]> wrote:
>>> On 5/2/2017 9:51 AM, Michael Segel wrote:
>>>> You can run a check on your MX Server… there are a couple
>> of web sites that do this… and I think one or two will
>> identify the RBLs that include you.
>>> One trick I use a lot when I have an infected machine on a
>> network or a customer with a problem is that I setup a
>> smarthost running a milter that runs the email through a spam
>> checker, logs the answer and then tempfails the emails.
>>> Then I can analyze if there is an issue and do a silent
>> discard by subject or internal IP if we find a compromised
>> machine while letting everything else go through.
>>> Regards,
>>> KAM
>>

Re: Trace spam activity on mail server

I don't find any site compromise, I try to write to Trend Micro for the third time......

Thanks everybody.

On 02/05/2017 17:03, Matteo Cazzador wrote:

> This is very interesting, thanks, I follow this suggestion.
>
> I was moving on the wrong way.
>
> Thanks
>
>
> On 02/05/2017 16:52, L.P.H. van Belle wrote:
>> So far as I can see, your web site is the target, not your mail server.
>>
>> I personally use: http://multirbl.valli.org/lookup/netlite.it.html
>> About the same as mx toolbox, but I did notice that the list of
>> multirbl is much shorter when the domain name is used.
>> If I check with this hostname: mail.netlite.it (212.29.157.98)
>> http://multirbl.valli.org/lookup/212.29.157.98.html
>> DNSBL Blacklist Test Summary
>> Ip based: 231 of 231 tests done.
>> Domain base: 49 of 49 tests done.
>> Result, not listed anywhere.
>>
>> You are running with out-of-date WordPress plugins. Checked a few.
>> That's asking for problems. Check your webserver logs for strange/out-of-the-ordinary
>> things.
>>
>> If you don't use mod security, get it, learn it, install it and stop
>> the WordPress abuse.
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>> -----Original message-----
>>> From: [hidden email] [mailto:[hidden email]] On behalf of Michael Segel
>>> Sent: Tuesday, 2 May 2017 16:02
>>> To: Kevin A. McGrail
>>> CC: [hidden email]; Matteo Cazzador; postfix users
>>> Subject: Re: Trace spam activity on mail server
>>>
>>> Just to follow up…
>>> I ran the check on his domain:
>>> https://mxtoolbox.com/domain/netlite.it/
>>> Pretty clean, maybe a few things to fix, but he’s not on any
>>> black list.
>>>
>>> I don’t know when he set up his domain, it could be that
>>> Trend Micro blocked the IP block due to a previous tenant and
>>> never took them off.
>>>
>>> Truthfully, I don’t use much more than Spamhaus these days.
>>> in terms of RBLs.
>>>
>>> He’s not running an open relay and if there was a spammer on
>>> his network, Spamhaus would have caught it too. Or someone else.
>>>
>>> Its not Matteo’s server and I suspect its Trend Micro.
>>>
>>> HTH
>>>
>>> -Mike
>>>
>>>> On May 2, 2017, at 8:56 AM, Kevin A. McGrail
>>> <[hidden email]> wrote:
>>>> On 5/2/2017 9:51 AM, Michael Segel wrote:
>>>>> You can run a check on your MX Server… there are a couple
>>> of web sites that do this… and I think one or two will
>>> identify the RBLs that include you.
>>>> One trick I use a lot when I have an infected machine on a
>>> network or a customer with a problem is that I setup a
>>> smarthost running a milter that runs the email through a spam
>>> checker, logs the answer and then tempfails the emails.
>>>> Then I can analyze if there is an issue and do a silent
>>> discard by subject or internal IP if we find a compromised
>>> machine while letting everything else go through.
>>>> Regards,
>>>> KAM
>>>
>

Re: Trace spam activity on mail server

First, honey pots aren’t an issue and spoofing an IP address is fairly easy to pick up.

As to spam is in the eye of the beholder, if you go back to my questions…

You’ll see that I asked about the OP’s mail list.

Free clue… if you purchased a list of potential customers… you’re a spammer.
If you scraped email addresses. You’re a spammer.

If you just moved to the IP block, request a new block. Or a new ISP.

But I’d also make sure you’re running a clean shop too.

> On May 2, 2017, at 10:00 AM, Kevin A. McGrail <[hidden email]> wrote:
>
> On 5/2/2017 10:56 AM, [hidden email] wrote:
>> Would a spammy email server only trigger one RBL?
>
> Sure.
>
> Spam is often in the eye of the beholder, people use different feeds, different policies, purposes, etc.
>
> I wouldn't discount it that it's an issue just because it's only on one RBL. I'm a public mirror for quite a few and the overlap is not as high as one might think.
>
> Regards,
> KAM
>

Re: Trace spam activity on mail server

My point was some prankster and/or whitelist service could spam the honeypot with your credentials forged. That is a great way for a white list service to get customers.

Without knowing the setup of the honeypot, it could be spoofed. These RBLs shoot first and ask questions later.

Anyway, destroying the spamrl.com customer base one customer at a time works for me. A google search will find plenty of false positive complaints.

Requesting a new IP just leaves the problem for the next owner. I managed to free up a block of Digital Ocean IP space by convincing one RBL that they were wrong regarding the IP space. Granted Digital Ocean should have done that.

I never used any customer list nor scraped email addresses.

The reality is these RBLs aren't bug free, and they never provide evidence of spamming. They prefer you go on a wild goose chase. Mind you any time I report a hack, I provide log data. That is how it should be done.

Two easy things to harden your server:
1) no web mail
2) all accounts use TLS

Re: Trace spam activity on mail server

I got what you were saying.

What you’re talking about is known as a Joe Job.
And it’s harder to do because it’s easier to spot fake headers these days.
So while it’s possible, it’s highly improbable and if it were done, it wouldn’t be on a single RBL.

As to RBL services… yes, over time, some get dropped because they become stale and aren’t being maintained. Some have nut jobs running them.

Trend Micro doesn’t fit into those categories.

I agree to using TLS as a way to harden the security, but depending on the web mail server … YMMV.

There’s a reason why the RBLs don’t provide the ‘evidence’. Spammers are cockroaches, but they also learn from their mistakes.
Right now I’m working on my new server and it’s set up as my secondary MX. Already I have spammers hitting this machine and it looks like they are bypassing my primary server altogether.

You are correct, the owner of the Netblock is ultimately responsible. So you should be able to get a new net block and let Digital Ocean worry.

> On May 2, 2017, at 3:07 PM, [hidden email] wrote:
>
> My point was some prankster and/or whitelist service could spam the honeypot with your credentials forged. That is a great way for a white list service to get customers.
>
> Without knowing the setup of the honeypot, it could be spoofed. These RBLs shoot first and ask questions later.
>
> Anyway, destroying the spamrl.com customer base one customer at a time works for me. A google search will find plenty of false positive complaints.
>
> Requesting a new IP just leaves the problem for the next owner. I managed to free up a block of Digital Ocean IP space by convincing one RBL that they were wrong regarding the IP space. Granted Digital Ocean should have done that.
>
> I never used any customer list nor scraped email addresses.
>
> The reality is these RBLs aren't bug free, and they never provide evidence of spamming. They prefer you go on a wild goose chase. Mind you any time I report a hack, I provide log data. That is how it should be done.
>
> Two easy things to harden your server:
> 1) no web mail
> 2) all accounts use TLS
>
>
>
> Original Message
> From: Michael Segel
> Sent: Tuesday, May 2, 2017 9:02 AM
> To: Kevin A. McGrail
> Cc: [hidden email]; Matteo Cazzador; postfix users
> Subject: Re: Trace spam activity on mail server
>
> First, honey pots aren’t an issue and spoofing an IP address is fairly easy to pick up.
>
> As to spam is in the eye of the beholder, if you go back to my questions…
>
> You’ll see that I asked about the OP’s mail list.
>
> Free clue… if you purchased a list of potential customers… you’re a spammer.
> If you scraped email addresses. You’re a spammer.
>
>
> If you just moved to the IP block, request a new block. Or a new ISP.
>
> But I’d also make sure you’re running a clean shop too.
>
>> On May 2, 2017, at 10:00 AM, Kevin A. McGrail <[hidden email]> wrote:
>>
>> On 5/2/2017 10:56 AM, [hidden email] wrote:
>>> Would a spammy email server only trigger one RBL?
>>
>> Sure.
>>
>> Spam is often in the eye of the beholder, people use different feeds, different policies, purposes, etc.
>>
>> I wouldn't discount it that it's an issue just because it's only on one RBL. I'm a public mirror for quite a few and the overlap is not as high as one might think.
>>
>> Regards,
>> KAM
>>
>

Re: Trace spam activity on mail server

> While mxtoolbox looks complete, there are more RBLs than on their
> list. I never knew Trend Micro had a RBL.

Funny story: technically Trend Micro has the ONLY "RBL" because that's a
registered trademark. They bought that trademark along with all of the
other intellectual property and ongoing operations of Mail Abuse
Prevention Systems, L.L.C. ~15 years ago. MAPS was a not-for-profit
founded by Paul Vixie, who invented the DNSBL mechanism and ran the
first DNSBL: the Realtime Blackhole List, a.k.a. RBL.

As far as I can tell, the active defense of that trademark has been
almost invisible for over a decade, so while DNSBL is the formally
correct generic term, RBL may not even be legally defensible as a
trademark any more, but one of the Trend Micro DNSBLs is actually named
RBL.

> Spamrl.com is one I can't stay off of. They do honor their one week
> reprieve. Like I said, I managed to get them removed from servers that
> I communicate with. There are over a hundred RBLs. If one is a problem
> child, dump it.
>
> Pulled right from their website.
> "Unfortunately, we cannot disclose any details about WHY your IP has a
> bad reputation."
>
> This thread is about spamrl.com, and no, I'm not a participant in the
> thread.
> http://www.webhostingtalk.com/showthread.php?t=1598238
> Supposedly spamrl.com uses honeypots, which makes me wonder if a
> prankster can spoof headers and spam the honeypots just to drum up
> customers for commercial white lists.

The spamrl.com operation is just an alternative face for spamexperts.com
and one of their inputs is feedback from customers, who can report
errors in their filtering to spamrl.com addresses for mitigation.
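
An added example, not part of the original thread: how the DNSBL mechanism mentioned above is queried, and how to tell a real listing from a zone that is stale, answers for everything, or refuses the query (the "problem child" cases raised earlier in the thread). The zone names and the resolver stub are hypothetical; the 127.0.0.2 and 127.0.0.1 test entries follow RFC 5782, and treating 127.255.255.0/24 as an error range is the convention Spamhaus uses, which other lists may not share.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus-style error codes


def dnsbl_name(ip, zone):
    """Build the DNS name a DNSBL client looks up for ip in zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))           # octets, reversed
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # nibbles, reversed
    return ".".join(labels) + "." + zone


def system_resolver(name):
    """A records for name, or [] if it does not resolve. The stub resolver
    cannot tell NXDOMAIN from a timeout; a DNS library can."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def check(ip, zone, resolve=system_resolver):
    answers = [ipaddress.ip_address(a) for a in resolve(dnsbl_name(ip, zone))]
    if not answers:
        return "not listed"
    if any(a not in LOOPBACK for a in answers):
        return "invalid answer"   # e.g. expired zone now pointing at a web host
    if all(a in ERROR_NET for a in answers):
        return "query refused"    # blocked resolver or rate limit, not a listing
    return "listed"


def zone_health(zone, resolve=system_resolver):
    """RFC 5782 self-test: 127.0.0.2 must be listed, 127.0.0.1 must not."""
    must = check("127.0.0.2", zone, resolve)
    must_not = check("127.0.0.1", zone, resolve)
    if "query refused" in (must, must_not):
        return "query refused"
    if must_not != "not listed":
        return "lists everything"
    if must != "listed":
        return "no test entry"
    return "ok"


def survey(ip, zones, resolve=system_resolver):
    """Check ip against each zone, but only trust zones that pass the self-test."""
    result = {}
    for zone in zones:
        health = zone_health(zone, resolve)
        result[zone] = check(ip, zone, resolve) if health == "ok" else "unusable: " + health
    return result


# Constructed stand-in for DNS so the example runs offline.
FAKE_RECORDS = {
    "2.0.0.127.good.dnsbl.example": ["127.0.0.2"],
    "99.2.0.192.good.dnsbl.example": ["127.0.0.4"],
}
FAKE_ZONES = ["good.dnsbl.example", "wild.dnsbl.example",
              "refuse.dnsbl.example", "dead.dnsbl.example"]


def fake_resolver(name):
    if name.endswith(".wild.dnsbl.example"):
        return ["127.0.0.2"]          # abandoned zone answering for every name
    if name.endswith(".refuse.dnsbl.example"):
        return ["127.255.255.254"]    # error code instead of a listing
    return FAKE_RECORDS.get(name, [])


if __name__ == "__main__":
    for zone, status in survey("192.0.2.99", FAKE_ZONES, fake_resolver).items():
        print(zone, "->", status)
```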

Re: Trace spam activity on mail server

Bill, you’d probably know some of the spammer domains where they complained about spamhaus and other RBLs…

It’s been a while since I followed all of this stuff from Usenet days…

> On May 3, 2017, at 10:25 AM, Bill Cole <[hidden email]> wrote:
>
> On 2 May 2017, at 10:56, [hidden email] wrote:
>
>> Would a spammy email server only trigger one RBL?
>
> Sure.
>
>> While mxtoolbox looks complete, there are more RBLs than on their list. I never knew Trend Micro had a RBL.
>
> Funny story: technically Trend Micro has the ONLY "RBL" because that's a registered trademark. They bought that trademark along with all of the other intellectual property and ongoing operations of Mail Abuse Prevention Systems, L.L.C. ~15 years ago. MAPS was a not-for-profit founded by Paul Vixie, who invented the DNSBL mechanism and ran the first DNSBL: the Realtime Blackhole List, a.k.a. RBL.
>
> As far as I can tell, the active defense of that trademark has been almost invisible for over a decade, so while DNSBL is the formally correct generic term, RBL may not even be legally defensible as a trademark any more, but one of the Trend Micro DNSBLs is actually named RBL.
>
>> Spamrl.com is one I can't stay off of. They do honor their one week reprieve. Like I said, I managed to get them removed from servers that I communicate with. There are over a hundred RBLs. If one is a problem child, dump it.
>>
>> Pulled right from their website.
>> "Unfortunately, we cannot disclose any details about WHY your IP has a bad reputation."
>>
>> This thread is about spamrl.com, and no, I'm not a participant in the thread.
>> http://www.webhostingtalk.com/showthread.php?t=1598238
>> Supposedly spamrl.com uses honeypots, which makes me wonder if a prankster can spoof headers and spam the honeypots just to drum up customers for commercial white lists.
>
> The spamrl.com operation is just an alternative face for spamexperts.com and one of their inputs is feedback from customers, who can report errors in their filtering to spamrl.com addresses for mitigation.

Re: Trace spam activity on mail server

Regarding spamrl.com / spamexperts, their customer tools don't work. The only solution is to drop them. On and off, months were wasted with those clowns.

I'm assuming the customer never sees the dictionary search attempts, so the problem is their crappy software. Now I have caught snowshoe-type dictionary searches coming from Digital Ocean IP space. The hackers buy three to as many as eight "droplets". I report them and DO does shut them down. It is possible spamrl.com just deems the entire DO IP space toxic, but then again they should provide a functional whitelist procedure.

This VPS race to the bottom is a problem. With OVH under $5, it looks like there is no floor, and you can't police your customers with pocket change revenue.
